
📙 You will learn

How to fetch applications and scans, how scan dates are organized, and how to configure certificates.

Prerequisites

Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: N/A

For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API.

Introduction

HCL AppScan on Cloud (ASoC) is a cloud app security offering that helps secure your organization’s Web, cloud, mobile, and other applications.

Login:

Code Block
/api/V2/Account/ApiKeyLogin

Logout:

Code Block
/api/V2/Account/Logout

Get Applications

ThreadFix uses this endpoint to pull applications from the ASoC instance; the request is paginated.

Code Block
/api/V2/Apps

Get Scan:

Code Block
/api/V2/Apps/{{ApplicationId}}/Scans?$orderby=LastSuccessfulExecution/ScanEndTime%20desc&$top=1

Get Reports:

Code Block
/api/V2/Reports/Issues/Application/{{ApplicationId}}

Check Report Status:

Code Block
/api/V2/Reports/{{ReportId}}

Download Report:

Code Block
/api/V2/Reports/Download/{{ReportId}}
  • Returns issues from ASoC based on query parameters

  • ThreadFix uses this to pull the Scanner, Status, DateCreated, LastUpdated, issueTypeId, Severity, Id, Path, SourceFile, IssueType, Cwe, and Element values, if present, for each finding from all new, open and reopened issues for the specified application.

  • ThreadFix paginates this request

Scan Dates

ThreadFix organizes the results from the issues endpoint by rounding each issue's DateCreated value down to midnight and creating one scan for each unique date.

Caveat: If one or more issues have a LastUpdated value, the newest of these values will be used when setting the scan's Scan Date.

Since these scans are dynamically created by ThreadFix, there is currently no distinction between the Scan Date and the Updated Date.

As of 2.8.6:

  • When importing from ASoC, ThreadFix will use the date/time a scan finished as the Scan Date

  • The most recent Last Updated date/time for the associated issues will be used as the scan’s Updated Date

  • In the scenario where an Application has no scans, but has issues, the Last Updated date/time will be used for both the Scan Date and Updated Date

Parsing Vulnerabilities

The JSON returned by ASE's issues endpoint maps directly to these ThreadFix Finding Mappings:

  • Native Id - Id

  • Vulnerability code - issueTypeId (if exists; otherwise issueType)

  • Severity code - Severity

  • Path - Path

  • Parameter - Element
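The following Python script is an added illustration, not ThreadFix code: it applies the Finding Mappings above to a constructed sample of ASoC issues and then groups the findings into scans using the Scan Dates rule described earlier (the pre-2.8.6 behaviour: round DateCreated down to midnight, with the newest LastUpdated in a group overriding the scan date). The sample payload, the status strings and the UTC "Z" timestamp format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone
# Constructed sample shaped like the ASoC issues payload: field names are the
# ones this page lists, values are made up for illustration.
SAMPLE_ISSUES = [
    {"Id": "i-1", "issueTypeId": "SQLi", "IssueType": "SQL Injection", "Severity": "High",
     "Path": "/login", "Element": "user", "Status": "Open",
     "DateCreated": "2023-05-01T10:15:00Z", "LastUpdated": "2023-05-03T08:00:00Z"},
    {"Id": "i-2", "IssueType": "Cross-Site Scripting", "Severity": "Medium",
     "Path": "/search", "Element": "q", "Status": "New",
     "DateCreated": "2023-05-01T23:59:00Z", "LastUpdated": None},
    {"Id": "i-3", "issueTypeId": "XSS", "IssueType": "Cross-Site Scripting", "Severity": "Low",
     "Path": "/about", "Element": "", "Status": "Reopened",
     "DateCreated": "2023-05-02T01:00:00Z", "LastUpdated": None},
    {"Id": "i-4", "issueTypeId": "XSS", "IssueType": "Cross-Site Scripting", "Severity": "Low",
     "Path": "/help", "Element": "", "Status": "Fixed",
     "DateCreated": "2023-05-02T02:00:00Z", "LastUpdated": None},
]
IMPORTED_STATUSES = {"New", "Open", "Reopened"}  # statuses the page names; strings assumed

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def map_finding(issue):
    """Apply the Finding Mappings listed on this page to one issue."""
    return {
        "native_id": issue["Id"],
        # issueTypeId if present, otherwise fall back to the IssueType name
        "vuln_code": issue.get("issueTypeId") or issue.get("IssueType"),
        "severity_code": issue["Severity"],
        "path": issue["Path"],
        "parameter": issue.get("Element"),
    }

def group_into_scans(issues):
    """Round DateCreated down to midnight and create one scan per unique date.
    If any issue in a group carries LastUpdated, the newest such value becomes
    the scan date instead (the caveat described on this page)."""
    buckets = defaultdict(list)
    for issue in issues:
        if issue.get("Status") not in IMPORTED_STATUSES:
            continue
        midnight = parse_ts(issue["DateCreated"]).replace(hour=0, minute=0, second=0)
        buckets[midnight].append(issue)
    scans = []
    for day in sorted(buckets):
        updated = [parse_ts(i["LastUpdated"]) for i in buckets[day] if i.get("LastUpdated")]
        scans.append({"scan_date": max(updated) if updated else day,
                      "findings": [map_finding(i) for i in buckets[day]]})
    return scans
```

Running `group_into_scans(SAMPLE_ISSUES)` yields two scans: the first dated by i-1's LastUpdated because it shares a day with i-2, the second dated midnight of its DateCreated; the Fixed issue is dropped before grouping.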
